Authentication methods for security-critical services often have to be replaced over time by newer and better methods. One example of this is the EC card, whose original version allowed information stored in an existing magnetic strip to be used in conjunction with a PIN (Personal Identification Number) for the purpose of authorizing access to an associated account. However, there has recently been an increasing number of so-called skimming attacks, in which the card is copied by means of additional devices attached to the automatic teller machines and the PIN is illicitly obtained by suitable technical means. The contents of the magnetic strip are then copied to a new card, thereby allowing unauthorized access to the account. The data from the magnetic strip is usually encrypted or protected by a cryptographic checksum, such that the information cannot be read without knowledge of the central key. However, an unauthorized user who has copied the entire magnetic strip and is in possession of the PIN does not need this central key.
Newer EC cards therefore now include an integrated smartcard, which cannot be copied as easily as a magnetic strip. This offers considerably greater security than the magnetic strip-based method. In order to ensure backwards compatibility with existing systems, the magnetic strip-based method is nonetheless still supported, thereby avoiding the need to replace all automatic teller machines at the same time.
The automatic teller machine or card reader checks the presence of a contacted smartcard chip by means of a galvanic connection to the chipcard contacts on the card. The presence of a smartcard chip can be detected, for example, because it transmits an ATR message (answer to reset) when the supply voltage is applied. If a smartcard chip is detected, the smartcard-based authentication method is used instead of the magnetic card-based authentication method. If no smartcard chip is detected, however, the existing magnetic strip-based authentication method is used.
In this context, the problem arises that it is still easy to copy the magnetic strip of cards which support both the magnetic strip-based authentication method and the smartcard-based authentication method. Because no smartcard chip is detected on the copy, the copied card is accepted even by automatic teller machines that themselves support both the magnetic strip-based authentication method and the smartcard-based authentication method. Such attacks are also called “bidding-down” attacks.
Bidding-down attacks are known in the context of security protocols for authentication and key negotiation. An authentication protocol supports a plurality of variants having various strengths. The two communication partners initially exchange information relating to the variants that are supported in each case. The strongest of the variants supported by both is selected and used in the protocol routine. Since the initial information exchange is not yet cryptographically protected against tampering, however, an unauthorized user can manipulate the exchanged information in such a way that a weak method is selected, although both communication partners would also support strong methods. In order to achieve this, the unauthorized user pretends that a communication partner only supports this weak variant. As a countermeasure, many protocols check the integrity of the initial information exchange retrospectively when the authentication and key negotiation are complete. Checksums are calculated, transferred and verified for this purpose.
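The retrospective integrity check described above can be modelled as follows. This is an added example, not part of the original text; the variant names, the function names and the fixed session key are assumptions made for illustration, and HMAC-SHA256 stands in for the unspecified checksum.

```python
import hashlib
import hmac

# Hypothetical variant names with assumed strengths (higher is stronger).
STRENGTH = {"variant-weak": 1, "variant-strong": 2}


def select_variant(offer_a, offer_b):
    """Pick the strongest variant contained in both offers."""
    common = set(offer_a) & set(offer_b)
    if not common:
        raise ValueError("no common variant")
    return max(common, key=STRENGTH.__getitem__)


def transcript_mac(key, client_offer, server_offer):
    """Keyed checksum over the initially unprotected exchange of offers."""
    data = ",".join(sorted(client_offer)) + "|" + ",".join(sorted(server_offer))
    return hmac.new(key, data.encode(), hashlib.sha256).digest()


def negotiate(client_offer, server_offer, tamper=None):
    """Run one negotiation; `tamper` models modification of the client
    offer in transit. Returns (selected_variant, integrity_ok)."""
    seen_by_server = tamper(client_offer) if tamper else list(client_offer)
    selected = select_variant(seen_by_server, server_offer)

    # Assumption: authentication and key negotiation have completed and both
    # sides hold the same key. A constructed constant stands in for it here.
    session_key = b"constructed-demo-session-key"

    # The client checksums what it sent, the server what it received.
    client_tag = transcript_mac(session_key, client_offer, server_offer)
    server_tag = transcript_mac(session_key, seen_by_server, server_offer)
    return selected, hmac.compare_digest(client_tag, server_tag)


def strip_strong(offer):
    """Constructed tamper function: only the weakest variant is passed on."""
    return [v for v in offer if STRENGTH[v] == 1]


if __name__ == "__main__":
    both = ["variant-weak", "variant-strong"]
    print(negotiate(both, both))                # untampered exchange
    print(negotiate(both, both, strip_strong))  # manipulated offer is detected
    print(negotiate(["variant-weak"], both))    # genuine legacy partner
```

The third call shows why the check does not break backwards compatibility: a partner that really supports only the weak variant produces matching checksums, whereas a manipulated offer does not.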